Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

bonch writes "Google Voice Mails have been discovered in Google's search engine, providing audio files, names, and phone number as if you were logged in and checking your own voice mail. Some appear to be test messages, while others are clearly not. Google has since disabled indexing of voice mails outside your own website."

Honestly, I wonder how many people post stuff on some obscure URL thinking only the friends and family they send it to would see it, just to find out watching CNN Headline News that it got indexed by Google and journalists were reporting on bloggers blogging about it.

"[...] we can certainly understand that users would want to make them [voice messages] public on their sites but not necessarily searchable directly outside of their own website. We made a change to prevent those to be crawled so only the site owner can decide to index them."

So in other words, Google supports robots.txt? Still, if you put them on your website, some search engine will index them. Moral of the story: don't make something accessible by anyone on the web unless you want anyone to be able to access it.

IMHO, totally a non-issue: google doesn't spider their own service, but if you post links to your voice mail on a public page with a permissive robots.txt, it gets spidered and shows up in search results with them or anyone else.

I completely get why Google is now removing these from search results -- they must be seen to be fixing this before it blows up as a scandal -- but shouldn't this sort of media panderage qualify as the evil they purportedly "don't be"? You'd think they're big enough to stand up and enlighten morons about robots.txt specifically, and about the general truth that when you post something on the internet, it's there forever.

The real problem, IMO, is that Google Voice voicemails are world-readable to begin with. [...] The url scheme is "https://www.google.com/voice/fm/20-digit account id/long b64 encoded binary string", and these urls can be viewed by unauthenticated users

And my gmail account is available to anyone who knows my username and an n-character string (hunter2, starred for obvious resons).

This doesn't sound like a bug or leak, more like some users set up links or otherwise made their messages public.

I can't log into google voice without telling my browser to accept cookies from google. If they are going to use cookie-based authorization, then there is absolutely no excuse for handing out the data within an account to people who don't have the right cookie authorization.

Even if they don't index it, the URLs are still going to be accessible to anyone who can figure out the URL.It appears to be a classic case of security through obscurity.Obscurity as an extra layer is fine, but google voice seems to have no layers excepet for obscurity and that's a ridiculous design decision for a company as big a reptuation for technical acumen as google.

The obscurity in this case happens to be a random number that's at least 100 bits long if not a lot longer. Sure I could guess that, but I could guess your 128 bit symmetric cipher key too.

No, what happened here is that people used this extremely obscure URL to provide public links to their voicemail messages and google happily indexed those links. And, you know, when you publicize links to things, they show up in search engines.

Now, google could additionally require authorization before letting people have access to those links, but the way you find out what the big long random number is is by clicking on something saying something along the lines of "I want to share this voicemail with someone." which means that you want someone other than yourself to have access to it. Making the link require authorization to get to would completely defeat the purpose of sharing it with someone.

No, in my opinion, what google should do is have a per-voicemail switch that lets you decide whether or not the public sharable link works or not. Then you can share the link with a friend, and when you want to close up access so your friend can't share the link with their friend or post it on the internet or whatever, you click on the little check box and the link stops working.

Voicemails that you schedule for deletion should become private by default when they hit the trash can.